Educause Security Discussion mailing list archives
Re: MFA/2FA Implementation Questions
From: Greg Williams <gwillia5 () UCCS EDU>
Date: Tue, 4 Feb 2020 17:50:05 +0000
We had a very successful rollout. Some stats and gotchas:

- 21k accounts currently protected
- 15 initially didn't have a phone so we opted those people out
- 90% decrease year over year with successful phishing attacks with conditional access enabled

The attackers will actually bypass modern auth if you don't enforce it, therefore bypassing conditional access. This is a security risk. We found this out a year after we turned on MFA.

How we did it: Communicate to EVERYONE multiple times over a 3 month period and gave deadlines to answer the questions that are presented upon login before fully enforcing.

Greg Williams, ME
Director of Operations
Office of Information Technology
Adjunct Faculty
Department of Computer Science - College of Engineering and Applied Science
University of Colorado Colorado Springs
1420 Austin Bluffs Parkway, (EPC 144)
Colorado Springs, CO 80918
Phone: (719) 255-3292

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Pardonek, Jim
Sent: Tuesday, February 4, 2020 8:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] MFA/2FA Implementation Questions

Hi All,

Our MFA project has hit a few snags and our senior leadership is asking us to gather more information from other schools to identify any potential issues. Rather than Duo, the university opted for Microsoft and although mostly smooth so far, we still have some nagging problems that keep coming up.

One that has come up as of late is modern auth support for android email. Seems like 3 months ago, the answer for anyone with an android was install the Outlook client. What we have been finding is that Samsung phones, for example, S7 or later that have a minimum email client version of 6.1.01.0 work with modern auth. Given the rabbit hole that androids can make. We are now being asked to test as many makes, models and versions of android phone that we can get our hands on. If anyone has done this research, we would appreciate any insight.

I've asked this on a previous post but got no responses but thought I'd ask again regarding exception groups. Our current stance is to except Board members, Council of Regents and alumni. We would be interested in seeing what other schools are doing.

Lastly if you would be kind enough to share any pitfalls, constraints and roadblocks as well as implementation recommendations, we would greatly appreciate it.

Thanks in advance.

James Pardonek, MS, CISSP, CEH, GSNA
Associate Director
Chief Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL 60660
(773) 508-6086

Loyola University Chicago will never ask you for your username or password.

For the latest information security news at Loyola, please follow us online,
Twitter: @LUCUISO
Facebook: https://www.facebook.com/lucuiso/
Our Blog: http://blogs.luc.edu/uiso/

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- MFA/2FA Implementation Questions Pardonek, Jim (Feb 04)
- Re: MFA/2FA Implementation Questions Barton, Robert W. (Feb 04)
- Re: MFA/2FA Implementation Questions Blake M Bourgeois (Feb 04)
- Re: MFA/2FA Implementation Questions Bandy, John (Feb 04)
- Re: MFA/2FA Implementation Questions Jamie Schademan (Feb 04)
- Re: MFA/2FA Implementation Questions Greg Williams (Feb 04)